Nvidia has disclosed a security vulnerability with its GeForce Experience software for GeForce graphics card owners that could allow an attacker to execute and escalate privileges for arbitrary code, and carry out denial-of-service attacks. All versions of GeForce Experience prior to version 3.18 are vulnerable, if the ShadowPlay, NvContainer, or GameStream features are enabled. Nvidia advises all users to upgrade to the latest available version to be safe. The risk has been assessed as high severity. Nvidia has thanked and credited David Yesland of Rhino Security Labs for discovering and reporting this security problem.
According to Bleeping Computer, the threat requires an attacker to have access to affected PCs, which limits the potential for misuse. However, other malicious tools that allow remote access to PCs could be used in conjunction with this vulnerability. Not only could an attacker execute malicious code without requiring elevated privileges, but they could also carry out a denial-of-service attack that would result in the affected PC becoming unusable.
The vulnerability allows malicious code to be substituted for what affected versions of the GeForce Experience software is expecting because it failed to check for hard links, or explicit pointers to resources. No user interaction is required to allow malicious code to be executed, and only the usual low privileges are required.
Nvidia has stated that its risk assessments are based on an average threat level for all PCs with the affected software installed, which means that some specific installations and configurations are more vulnerable than others. However, all users are advised to update to the latest version of GeForce Experience either by downloading it directly from Nvidia’s website or by running the software’s built-in auto-updater.
Nvidia currently has the lion’s share of discrete GPUs across desktops and laptops, with the latest Steam Hardware Survey pegging its install base as slightly over 75 percent, compared to just under 15 percent for AMD. Of course that figure represents gamers, not the entirety of PC users.
The GeForce Experience software is used to manage automatic driver updates, and allows gamers to use profiles for games that will optimise settings for better gameplay on their PCs depending on their configurations. The affected features are those that let users capture and share gameplay video, and stream games from a PC with a GeForce GPU to another device such as a portable console.